Avoiding the snags and snares in data breach reporting: What CISOs need to know

Failing to report sensitive data breaches to US regulatory and law enforcement agencies just got more dangerous and confusing for CISOs and their organizations. If that failure is seen as a coverup, such as paying ransoms for retrieving sensitive data, it could lead to steep fines or jail time.

In a case that is playing out now, Joe Sullivan, former Uber CISO, was recently charged under an ambiguous, arcane law that goes back to 1789 called misprision of a felony. In the charging documents, the FBI claims Sullivan’s actions of paying off the attackers to retrieve the data are akin to aiding and abetting a crime. If this case wins, it will grind businesses to a halt as they feel compelled to report anything that might appear to be a data-related crime against their organizations.

“Misprision is very subtle crime. The statutory words say that you commit a crime if you see a crime and don’t report it,” says Ben Wright, a well-known cyber attorney and SANS instructor. “The feds do not bring a lot of charges under this law because courts have long recognized that you can’t take those words literally or businesses would have to report almost anything that looks like a crime.”

Ransomware response just got more complicated

In another example, the US Department of Treasury on October 1 released an advisory saying that paying a ransom may be violating the Office of Foreign Assets Control (OFAC) against sanctioned ransomware operators. This advisory is supported and enforceable through the FBI, which two weeks ago issued a statement to CSO that the FBI would not charge businesses that pay ransomware operators.

These OFAC sanction requirements will be hard to follow because they count on victim organizations knowing who the ransomware operators are, which they usually don’t. The only sanctioned entities that OFAC provides are Lazarus from North Korea, BlueNorOff and AndAriel (believed to be units within Lazarus), and Evil Corp from Russia and its Dridex malware, so payment intermediaries will have to call Treasury’s cyber department, the FBI, DHS or Secret Service to check if the ransomware operators are part of a sanctioned group. Time is of the essence when a ransomware demand is made, especially when these payment intermediaries are working on behalf of health services organization with human lives on the line.

“Timing in a breach response is critical,” says Richard Stiennon, chief research analyst at IT-Harvest and former Gartner analyst. “From the time of the breach detection, CISOs are racing against the clock to reduce the time of data exposure while also conducting impact assessments.”

Enforcement agencies also differ on what they define as a reportable breach. According to the US Health and Human Services (HHS), a breach is “an impermissible use or disclosure … that compromises the security or privacy of the protected health information.” The revised decision in the Uber case refers to the breach as a “covered incident,” which means “any instance in which any United States federal, state, or local law or regulation requires notification that consumer personal information was collected or received, directly or indirectly, without authorization.”

Dealing with breach reporting ambiguities

“I have ambiguous cases all the time like this: Should ransomware attacks be reported, since they are federal crimes? What if you pay ransomware operators through your bug bounty program? Are you providing material support to the criminal after the fact?” says Mark Rasch, cyber attorney and founder of the US Department of Justice’s cybercrimes unit. “This is why it’s critical to have your legal team integrated with your incident responders. Don’t just rely on the word of the CISO, who may not get the whole story from his IR team.”

Start with a policy playbook based on the strictest regulatory requirements that applies to your business. Get sign-off on the plan and rehearse your response and reporting cycles in tabletop exercises, Steinnon advises. “Your policy should say, ‘We acknowledge a breach in X number of days internally with legal counsel.’ Then notify regulators in 72 hours, which is consistent with the strictest requirements set forth in GDPR, even if you are only partway into discovery,” he explains.

Steinnon also suggests learning the breach reporting requirements in your state, noting in particular the comprehensive California Consumer Privacy Act (CCPA). Know also the breach laws that mandate reporting directly to enforcement agencies, Rasch adds. For example, Gramm-Leach-Bliley Act (GLBA) notification is enforced through the Federal Trade Commission (FTC), with advice for reporting here. The FTC also enforces healthcare-related breach compliance that may not fall under the Health Insurance Portability and Accountability Act (HIPAA), while HIPAA-related breaches should be reported to HHS.    

Companies need a mature process for protecting data and responding to incidents. Otherwise, Rasch says, “When companies fail, the FTC will step in and compel them to do all of the things the companies should have done to protect data and provide documentation of that fact for 20 years.”

In Uber’s case, the company agreed to provide the FTC with bi-annual assessment reports for 20 years, along with compliance reports sworn under “penalty of perjury” around personnel changes, mergers, system changes or disillusion. Uber also agreed to follow a mandated data privacy program akin to the NIST Cybersecurity Framework.

Most of these requirements are common in post-breach agreements, but enforcement agencies also customize requirements specifically to each case, notes Rasch. For example, from the Fed’s point of view, Uber had misused its bounty program to pay off the hackers, so the FTC’s revised proposed order requires Uber to submit records related to bug bounty reports. This shouldn’t be a requirement in other settlements unless the bounty program had been similarly misused, he adds.

Rasch points to another example of a ransomware attack against cloud provider Blackbaud involving partial data exposure to ransomware attackers. Blackbaud had evidence to show that the data was wiped and was never otherwise exposed after Blackbaud paid the ransom. While probably not required to report, Blackbaud erred on the side of caution and reported. In return Blackbaud was sued in a class action lawsuit by its cloud customers who felt exposed.

“Before reporting to regulators and affected third parties, ask yourself if this is an actual data breach exposure that requires reporting,” Rasch advises. “If the data isn’t shared and it’s been erased, and you can prove that the breach is of no impact, then you are better off not reporting.”

Sticks over carrots

It’s clear that the feds are trying to compel businesses into better security practices to prevent reportable breaches from happening. The FTC has consolidated lessons learned from breach cases it investigated into a Start with Security framework of security fundamentals. The Treasury Department’s OFAC lays out a five-point sanctions compliance program that when applied ahead of a breach, the “OFAC will consider favorably subject persons … at the time of an apparent violation.”

As the laws close in on organizations that are essentially victims themselves, there are no assurances that there won’t be consequences even when the CISO does everything right. “Don’t see much of reward side?” asks Bob West, former CISO and founder of the West Strategy Group. “Neither do I. Federal agencies are using the wrong tactics to get businesses and CISOs to do the right thing. People and businesses respond better to incentives rather than penalties.”